Every day a new Tip about Office 365

Menu

ADFS vs DirSync with Password Sync: The User Experience

I promised to do a comparison and pro/con around using ADFS with Single SignOn (SSO) and at the time the newly released Password Sync with the new DirSync tool. Well finally here it is, and with thanks to a fellow co-worker, JC Warner for developing the below table based on research and his experience using both. JC also used the following Microsoft white paper “Office365-Single Sign-On-with-AD-FS2.0-v1.0a”

So here is the Table that compares the end user experience using ADFS and DirSync with Password Sync enabled:

Access Method

ADFS

DirSync w/ Password

Verdict

Outlook 2010/2013

Prompted for credentials on first connection (and at each password change) with checkbox to remember them.

Prompted for credentials on first connection (and at each password change) with checkbox to remember them.

Draw, both have the same experience

ActiveSync, POP, IMAP

Prompted for credentials on first connection (and at each password change) with checkbox to remember them.

Prompted for credentials on first connection (and at each password change) with checkbox to remember them.

Draw, both have the same experience

MS Online Portal, SharePoint Online, Office Web Apps

Internal: Pop up offers click to sign in with no credentials required (External Forms Based Prompted)

Prompted for credentials on first connection (and at each password change) with checkbox to remember them

Better experience for ADFS while internal to company network, draw when external

OWA

Internal: Seamless (External Forms Based Prompted)

Prompted for credentials on first connection (and at each password change) with checkbox to remember them

Better experience for ADFS while internal to company network, draw when external

Lync 2010/2013

Seamless (with Sign on Assistance installed for Lync 2010)

Prompted for credentials on first connection (and at each password change) with checkbox to remember them.

Better experience for ADFS

As you can see above, overall for an end user experience when the user is internal to the company network ADFS offers a better experience. But when you take into account the additional administrative and server overhead needed to implement ADFS and SSO, I still would recommend Password Sync to a company. This is especially relevant to small companies who are moving to Office 365 to remove on-premises servers and resources from their environment. The caveat to this would be if a company already has ADFS deployed for another reason, federation with a partner or other SaaS provider, then using ADFS for Office 365 makes sense.

I will always lead with Password Sync versus ADFS and SSO. I just think with the cloud movement removing reliance on on-premises infrastructure for authentication is the right move. Now with Password Sync companies can reduce the sever footprint on-premises and fully ensure that if on-premises infrastructure goes dark that user can still access and authenticate to Office 365 resources.